Microsoft says ransomware attack should be a ‘wake-up call’ for governments

The ransomware, called "WannaCry," is spread by taking advantage of a Windows vulnerability that Microsoft released a security patch for in March. But computers and networks that haven't updated their systems are at risk.

By Jackie Wattles

NEW YORK (CNNMoney) — Microsoft’s president and top lawyer said Sunday that the ongoing cyberattacks — which experts are calling the largest in history — should be a “wake-up call” for governments.

Hackers have used “ransomware” to freeze at least 200,000 computers so far, and they have demanded that users pay up to regain access.

The attacks exploited the computers because they were running outdated versions of Microsoft’s Windows operating system. Brad Smith, who is Microsoft’s chief legal officer, said Sunday in a blog post that his company, its customers and the government all share the blame.

Smith said Microsoft has the “first responsibility” to address the problem, and added that the company is working “comprehensively” to fight threats.

But he also placed fault with governments. The security flaw that hackers used to launch the attacks Friday was made public after information was stolen from the U.S. National Security Agency, which routinely searches for flaws in software and builds tools to exploit them.

The government is not legally bound to notify at-risk companies. Smith says that’s wrong.

He argued there should be “a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote.

The NSA alerted Microsoft about the issue three months ago and Microsoft released an upgrade that patched the flaw. But some experts have argued this attack could have been vastly mitigated if the NSA had told Microsoft sooner.

Smith also called cyberattack protection a “shared responsibility” between companies and customers.

Companies and institutions are often slow to update their computers because it can screw up internal software that is built to work with a certain version of Windows.

“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” he wrote. “Otherwise they’re literally fighting the problems of the present with tools from the past.”

He said tech companies, customers and the government need to “work together” to protect against attacks.